Description
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here:
* https://w4ke.info/2025/06/18/funky-chunks.html

* https://w4ke.info/2025/10/29/funky-chunks-2.html


Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error.


POST / HTTP/1.1
Host: localhost
Transfer-Encoding: chunked

1;ext="val
X
0

GET /smuggled HTTP/1.1
...





Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
Published: 2026-04-14
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: HTTP Request Smuggling
Action: Apply Patch
AI Analysis

Impact

The Eclipse Jetty HTTP/1.1 parser incorrectly terminates parsing of chunk extensions when a quoted string is not closed, treating the CRLF inside the string as a boundary. This flaw enables an attacker to embed a second HTTP request within a single connection by sending a crafted chunked request. The smuggled request is processed downstream without being seen by the front‑end proxy, allowing the attacker to potentially bypass authentication checks or other controls.

Affected Systems

Products impacted are those that include the Eclipse Jetty web server. Versions of Jetty before the published fix are potentially vulnerable. No specific version range is documented in this advisory.

Risk and Exploitability

The CVSS v3 score of 7.4 indicates high severity. EPSS data is not available and the vulnerability is not listed in CISA's KEV catalog. The flaw can be exploited remotely by anyone with network access to the Jetty instance; no authentication or local privileges are required. An attacker can issue a single HTTP request containing a malformed chunk extension to trigger the smuggling behavior, potentially bypassing authorisation or affecting request routing.

Generated by OpenCVE AI on April 14, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Eclipse Jetty to the latest version that contains the CVE‑2026‑2332 fix
  • After upgrading, verify correct handling of chunked requests by running test cases similar to the described payload
  • If a patch is not yet available, block or reject requests that use Transfer‑Encoding: chunked on the network perimeter, or enforce strict header validation
  • Monitor Jetty security advisories for updates and apply subsequent patches as soon as they become available

Generated by OpenCVE AI on April 14, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-355h-qmc2-wpwf Jetty has HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
History

Thu, 16 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Eclipse
Eclipse jetty
Vendors & Products Eclipse
Eclipse jetty

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 11:30:00 +0000

Type Values Removed Values Added
Description In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treating this as an error. POST / HTTP/1.1 Host: localhost Transfer-Encoding: chunked 1;ext="val X 0 GET /smuggled HTTP/1.1 ... Note how the chunk extension does not close the double quotes, and it is able to inject a smuggled request.
Title HTTP Request Smuggling via Chunked Extension Quoted-String Parsing
Weaknesses CWE-444
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Eclipse Jetty
cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-04-15T03:58:12.322Z

Reserved: 2026-02-11T09:56:25.879Z

Link: CVE-2026-2332

cve-icon Vulnrichment

Updated: 2026-04-14T13:08:48.379Z

cve-icon NVD

Status : Received

Published: 2026-04-14T12:16:21.333

Modified: 2026-04-14T12:16:21.333

Link: CVE-2026-2332

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-14T10:59:10Z

Links: CVE-2026-2332 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:35Z

Weaknesses